---
layout: 'docs'
page_title: 'HA cluster with Raft and TLS'
sidebar_current: 'docs-platform-k8s-examples-ha-tls'
description: >-
  Learn how to set up a Raft HA Vault cluster with TLS certificate.
---

> [!IMPORTANT]  
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# HA cluster with Raft and TLS

The overview for [Integrated Storage and
TLS](/vault/docs/concepts/integrated-storage#integrated-storage-and-tls) covers
the various options for mitigating TLS verification warnings and bootstrapping
your Raft cluster.

Without proper configuration, you will see the following warning before cluster
initialization:
```shell
core: join attempt failed: error="error during raft bootstrap init call: Put "https://vault-${N}.${SERVICE}:8200/v1/sys/storage/raft/bootstrap/challenge": x509: certificate is valid for ${SERVICE}, ${SERVICE}.${NAMESPACE}, ${SERVICE}.${NAMESPACE}.svc, ${SERVICE}.${NAMESPACE}.svc.cluster.local, not vault-${N}.${SERVICE}"
```

The examples below demonstrate two specific solutions. Both solutions ensure
that the common name (CN) used for the `leader_api_addr` in the Raft stanza
matches the name(s) listed in the TLS certificate.

## Before you start

1. Follow the steps from the example [HA Vault Cluster with Integrated
Storage](/vault/docs/platform/k8s/helm/examples/ha-with-raft) to build the cluster.

2. Follow the examples and instructions in [Standalone Server with
TLS](/vault/docs/platform/k8s/helm/examples/standalone-tls) to create a TLS
certificate.

## Solution 1: Use auto-join and set the TLS server in your Raft configuration

The join warning disappears if you use auto-join and set the expected TLS
server name (`${CN}`) with
[`leader_tls_servername`](/vault/docs/configuration/storage/raft#leader_tls_servername)
in the Raft stanza for your Vault configuration.

For example:
<CodeBlockConfig highlight="6,14,22">

```hcl
storage "raft" {
  path = "/vault/data"

  retry_join {
    leader_api_addr = "https://vault-0.${SERVICE}:8200"
    leader_tls_servername = "${CN}"
    leader_client_cert_file = "/vault/tls/vault.crt"
    leader_client_key_file = "/vault/tls/vault.key"
    leader_ca_cert_file = "/vault/tls/vault.ca"
  }

  retry_join {
    leader_api_addr = "https://vault-1.${SERVICE}:8200"
    leader_tls_servername = "${CN}"
    leader_client_cert_file = "/vault/tls/vault.crt"
    leader_client_key_file = "/vault/tls/vault.key"
    leader_ca_cert_file = "/vault/tls/vault.ca"
  }

  retry_join {
    leader_api_addr = "https://vault-2.${SERVICE}:8200"
    leader_tls_servername = "${CN}"
    leader_client_cert_file = "/vault/tls/vault.crt"
    leader_client_key_file = "/vault/tls/vault.key"
    leader_ca_cert_file = "/vault/tls/vault.ca"
  }
}
```

</CodeBlockConfig>

## Solution 2:  Add a load balancer to your Raft configuration

If you have a load balancer for your Vault cluster, you can add a single
`retry_join` stanza to your Raft configuration and use the load balancer
address for `leader_api_addr`.

For example:
<CodeBlockConfig highlight="5">

```hcl
storage "raft" {
  path = "/vault/data"

  retry_join {
    leader_api_addr = "https://vault-active:8200"
    leader_client_cert_file = "/vault/tls/vault.crt"
    leader_client_key_file = "/vault/tls/vault.key"
    leader_ca_cert_file = "/vault/tls/vault.ca"
  }
}
```

</CodeBlockConfig>

